Re: Weird new malware

2017-11-08 Thread Pedro David Marco
> Of course that should be:
>
> describe  SCC_MIME_BOGUSCT1  Bogus /mixed Content-Type
> header    SCC_MIME_BOGUSCT1  Content-Type =~ /^(?
> score    SCC_MIME_BOGUSCT1  2
> Hmmm... For some reason I do not understand, the anchor doesn't work,
> so:
Bill the negative lookbehind does not

Re: Weird new malware

2017-11-08 Thread Dianne Skoll
Hi, In case anyone wants an actual sample: https://pastebin.com/raw/R3b0UHsB Regards, Dianne.

Re: Weird new malware

2017-11-08 Thread Bill Cole
On 8 Nov 2017, at 14:15, Bill Cole wrote:
Of course that should be:
describe SCC_MIME_BOGUSCT1 Bogus /mixed Content-Type
header SCC_MIME_BOGUSCT1 Content-Type =~ /^(?
Hmmm... For some reason I do not understand, the anchor doesn't work, so:
describe SCC_MIME_BOGUSCT1 Bogus /mixed

Re: Weird new malware

2017-11-08 Thread Dianne Skoll
On Wed, 8 Nov 2017 11:49:38 -0800 (PST) Jim Dunphy wrote:
> header J_BAD_CONTYPE Content-Type !~
> /^(application|audio|image|message|multipart|text|video|x-)/i
For messages that lack a content type header, I guess you need the [if-unset:] tag at the end: [if-unset:

Re: Weird new malware

2017-11-08 Thread Jim Dunphy
Another method. The content header field is defined to have these values for the type.
header J_BAD_CONTYPE Content-Type !~ /^(application|audio|image|message|multipart|text|video|x-)/i
score J_BAD_CONTYPE 0.1
describe J_BAD_CONTYPE invalid content type declared in header of the message

Re: Weird new malware

2017-11-08 Thread Bill Cole
On 8 Nov 2017, at 14:12, Bill Cole wrote: On 8 Nov 2017, at 11:16, Dianne Skoll wrote: On Wed, 8 Nov 2017 11:02:16 -0500 Rob McEwen wrote: This seems to be catching most of them: Subject: Invoice [A-Z]{2,3}\d{7}\b Yes, that'll work. Maybe a better approach is a

Re: Weird new malware

2017-11-08 Thread Bill Cole
On 8 Nov 2017, at 11:16, Dianne Skoll wrote: On Wed, 8 Nov 2017 11:02:16 -0500 Rob McEwen wrote: This seems to be catching most of them: Subject: Invoice [A-Z]{2,3}\d{7}\b Yes, that'll work. Maybe a better approach is a combo rule that looks in the headers for

Re: Weird new malware

2017-11-08 Thread Kevin A. McGrail
Ty can you throw me a sample? I also think I am blocking it with me and will post on that list about it once I analyze it a bit. Regards, KAM
On November 8, 2017 7:45:28 AM PST, Dianne Skoll wrote:
> Hi,
>
> Heads-up: We're seeing weird new malware with a subject that

Re: Weird new malware

2017-11-08 Thread Dianne Skoll
On Wed, 8 Nov 2017 11:02:16 -0500 Rob McEwen wrote:
> This seems to be catching most of them:
> Subject: Invoice [A-Z]{2,3}\d{7}\b
Yes, that'll work. Maybe a better approach is a combo rule that looks in the headers for Content-Type: .*art/mixed but NOT multipart/mixed

Re: Weird new malware

2017-11-08 Thread Rob McEwen
This seems to be catching most of them:
Subject: Invoice [A-Z]{2,3}\d{7}\b
...but it might need to be combined with other things to ensure no false positives, since there would be a rare legit message that would hit on this? --Rob McEwen
On 11/8/2017 10:45 AM, Dianne Skoll wrote: Hi,